###############################################################################
# Fakenet Configuration
#
# Default configuration for FakeNet-NG. Comments start with '#', settings are
# written 'Key: Value', and setting labels are not case-sensitive (see the
# listener notes further down). Both Yes/No and True/False are used as
# booleans in this file.
#
# NOTE(review): several settings below change host state (iptables rules,
# /etc/resolv.conf, the Windows DNS client service) and, in MultiHost mode,
# intercept traffic from other hosts. Run FakeNet-NG only on an isolated
# analysis network; it is an analysis aid, not a security boundary.
[FakeNet]
# Specify whether or not FakeNet should divert traffic. Disable if you want to
# just start listeners and direct traffic manually (e.g. modify DNS server)
DivertTraffic: Yes
###############################################################################
# Diverter Configuration
[Diverter]
# Specify what mode of operation to use. Options:
# SingleHost - manipulate local traffic
# MultiHost - manipulate traffic from foreign hosts (traffic from other
# machines that reaches this host is intercepted, so keep the
# host on an isolated analysis segment)
# Auto - Use SingleHost on Windows or MultiHost on Linux
#
# The current support for these modes on each supported platform is as follows:
#
#              | Windows    | Linux        |
#   -----------+------------+--------------+
#   SingleHost | Functional | Experimental |
#   MultiHost  | -          | Functional   |
#
# NetworkMode: SingleHost
# NetworkMode: MultiHost
NetworkMode: Auto
# DebugLevel: specify fine-grained debug print flags to enable. Enabling all
# logging when verbose mode is selected results in overwhelming output, hence
# this setting. Valid values (comma-separated) are:
#
# GENPKT Generic packet information
# GENPKTV Packet analysis, displays IP, TCP, UDP fields, very wide output
# CB Diverter packet handler callback start/finish logging
# NONLOC Nonlocal packet verbose logging
# DPF Dynamic port forwarding decisions
# DPFV Dynamic port forwarding table activity
# IPNAT NAT decisions
# MANGLE Packet mangling (modification) activity
# PCAP PCAP writes of original and mangled packets
# IGN Cases where packets are forwarded as is
# FTP FTP-specific logic
# IGN-FTP Cases where packets are forwarded as is due to FTP Active Mode
# MISC Miscellaneous
# NFQUEUE NetfilterQueue activity (Linux only)
# PROCFS Procfs read/write activity (Linux only)
# IPTABLES iptables firewall rule activity (Linux only)
#
# 'Off' (the default) enables none of the flags above.
DebugLevel: Off
# Restrict the interface on which Fakenet-NG will intercept and handle
# packets. Specify (only) one interface and Fakenet-NG will ignore all other
# interfaces. This feature only applies to interfaces on different subnets.
# Specify interface by name only (ex: eth0). To disable, set to "Off". In
# order to run multiple instances of Fakenet-NG on different interfaces within
# the same guest, LinuxFlushIptables must be turned off to avoid the latest
# instance flushing the rules associated with other instances or restoring
# rules to an incorrect state upon exit.
LinuxRestrictInterface: Off
# Set LinuxFlushIptables to Yes to have the Linux Diverter flush all iptables
# rules before adding its FakeNet-NG-specific rules to iptables. This setting
# also restores rules via `iptables-restore` when it exits, unless its
# termination is interrupted.
#
# NOTE: flushing removes any pre-existing host firewall policy for as long as
# FakeNet-NG runs, and an interrupted exit (crash, SIGKILL) leaves the rules in
# whatever state they were in at that moment. Re-check `iptables -S` after an
# unclean stop.
LinuxFlushIptables: Yes
# Command the Linux Diverter runs to flush the system's DNS cache.
# Incorporated so that users of the binary release may make this work for
# various Linux distros. On Ubuntu, this is `service dns-clean restart`. For
# other distributions, it may be `nscd -I hosts`; on systemd-resolved based
# systems `resolvectl flush-caches` may be the equivalent. Check your manual
# for details.
#
# NOTE: this value is executed as a command by FakeNet-NG, which runs with the
# privileges needed to edit iptables, so anyone who can edit this file can run
# arbitrary commands. Keep the configuration file writable only by the analyst.
LinuxFlushDNSCommand: service dns-clean restart
# Specify whether or not to save captured traffic. You can also change
# the file prefix for the generated PCAPs. The PCAP DebugLevel flag above
# logs each write. Captures contain the sample's payloads (and anything it
# tries to send out), so treat the PCAP files as sensitive.
DumpPackets: Yes
DumpPacketsFilePrefix: packets
# DHCP server running under VMWare Host-Only networking does not configure
# interface gateway and DNS server. Gateway must be configured to allow
# Windows to attempt to route external traffic so that FakeNet could
# intercept it. This option will automatically generate and set
# appropriate gateway and DNS addresses to allow normal operation.
FixGateway: Yes
FixDNS: Yes
# Enable 'ModifyLocalDNS' to statically set DNS server to the local machine.
# Linux: Modifies (and restores) /etc/resolv.conf on Linux to make this an
# ephemeral change. As with the iptables rules, the restore presumably happens
# at exit, so an unclean stop may leave /etc/resolv.conf pointing at the local
# machine - verify after a crash.
ModifyLocalDNS: Yes
# Enable 'StopDNSService' to stop the Windows DNS client service so that the
# actual processes resolving domains can be seen. This is a no-op on Linux,
# until such time as DNS caching is observed to interfere with finding the pid
# associated with a DNS request.
StopDNSService: Yes
# Enable 'RedirectAllTraffic' to optionally divert traffic going to ports not
# specifically listed in one of the listeners below. 'DefaultTCPListener' and
# 'DefaultUDPListener' will handle TCP and UDP traffic going to unspecified ports.
# The defaults are the two proxy sections below; each names, in its 'Listeners'
# key, the protocol listeners it can hand traffic to.
#
# NOTE: Setting default UDP listener will intercept all DNS traffic unless you
# enable a dedicated UDP port 53 DNS listener or add UDP port 53 to the
# 'BlackListPortsUDP' below so that system's default DNS server is used instead.
RedirectAllTraffic: Yes
DefaultTCPListener: ProxyTCPListener
DefaultUDPListener: ProxyUDPListener
# Specify TCP and UDP ports to ignore when diverting packets.
# For example, you may want to avoid diverting UDP port 53 (DNS) traffic
# when trying to intercept a specific process while allowing the rest to
# function normally.
#
# NOTE: This setting is only honored when 'RedirectAllTraffic' is enabled.
#
# NOTE: traffic on these ports is not intercepted by FakeNet-NG, so if the
# analysis host has any route to a real network it leaves the host unmodified.
# Defaults: TCP 139 (NetBIOS session); UDP 67/68 (DHCP), 137/138 (NetBIOS
# name/datagram), 443 (commonly QUIC/HTTP3), 1900 (SSDP), 5355 (LLMNR).
# Reconsider 443/UDP if the sample under analysis may speak QUIC.
BlackListPortsTCP: 139
BlackListPortsUDP: 67, 68, 137, 138, 443, 1900, 5355
# Specify processes to ignore when diverting traffic. Windows example used
# here.
# ProcessBlackList: java.exe
# Specify processes to consider when diverting traffic (others will be
# ignored). Linux examples used here.
# ProcessWhiteList: wget, nc
# Specify hosts to ignore when diverting traffic.
# HostBlackList: 6.6.6.6
###############################################################################
# Listener Configuration
#
# Listener configuration consists of generic settings used by the Diverter
# (the same for every listener) plus listener-specific settings.
#
# NOTE: Listener section names will be used for logging.
#
# NOTE: Settings labels are not case-sensitive.
#
# The following settings are available for all listeners:
# * Enabled - specify whether or not the listener is enabled.
# * Port - TCP or UDP port to listen on.
# * Protocol - TCP or UDP
# * Listener - Listener name to handle traffic.
# * Hidden - set on every listener section below but not described here;
# confirm its effect in the listener/diverter source before
# relying on it.
# * ProcessWhiteList - Only traffic from these processes will be modified
# and the rest will simply be forwarded.
# * ProcessBlackList - Traffic from these processes will simply be forwarded
# and the rest will be modified as needed (mirrors
# HostBlackList below and the Diverter-level setting above,
# which describes them as "processes to ignore").
# * HostWhiteList - Only traffic to these hosts will be modified and
# the rest will be simply forwarded.
# * HostBlackList - Traffic to these hosts will be simply forwarded
# and the rest will be modified as needed.
# * ExecuteCmd - Execute command on the first connection packet. This feature is useful
# for extending FakeNet-NG's functionality (e.g. launch a debugger on the
# connecting pid to help with unpacking and decoding.)
#
# The following format string variables are made available:
# * {pid} - process id
# * {procname} - process executable name
# * {src_addr} - source address
# * {src_port} - source port
# * {dst_addr} - destination address
# * {dst_port} - destination port
#
# NOTE: {procname} is taken from the process that opened the connection, i.e.
# from the sample under analysis. If the expanded command is handed to a shell
# (not verifiable from this file), quote the substituted values; a crafted
# executable name could otherwise alter the command that is run.
#
# A listener entry which does not specify a listener service
# will still redirect all packets to the local machine on the specified port,
# subject to all the filters (processes, hosts, etc.). However, you must set up a
# third-party service (e.g. a proxy server) to accept these connections. This feature can be
# used to provide FakeNet-NG's passive traffic diverting and filtering capabilities to other
# applications; [Forwarder] and [FTPListenerPASV] below are entries of this kind.
#
# Listener specific settings:
#
# * Timeout - Set connection timeout for any listeners that support
# TCP connections (e.g. RawListener, DNSListener, HTTPListener,
# SMTPListener). Units are not stated here; the values used
# below (10, 30) are presumably seconds - confirm in the
# listener source.
# * UseSSL - Enable SSL support on the listener (RawListener, HTTPListener)
# * Webroot - Set webroot path for HTTPListener.
# * DumpHTTPPosts - Store HTTP Post requests for the HTTPListener.
# * DumpHTTPPostsFilePrefix - File prefix for the stored HTTP Post requests used by the HTTPListener.
# * TFTPFilePrefix - File prefix for the stored tftp uploads used by the TFTPListener.
# * DNSResponse - IP address to respond with for A record DNS queries. (DNSListener)
# * NXDomains - A number of DNS requests to ignore to let the malware cycle through
# all of the backup C2 servers. (DNSListener)
# * Banner - FTPListener, IRCListener: FTP or IRC banner to display.
# Valid settings are any banner string, or !<key> where
# <key> is a valid key in the BANNERS dictionary within
# FTPListener.py or IRCListener.py, or !random to
# randomize among the banners in the BANNERS dictionary.
# The default value if none is specified is !generic,
# which selects the banner in the BANNERS dictionary going
# by that key. Banner string may specify the following
# escapes/insertions:
# {servername} - ServerName setting value
# {tz} - Time zone, currently hard-coded to 'UTC'
# * ServerName - FTPListener, IRCListener: FTP or IRC server name for
# insertion into selected default banners or into a
# user-specified banner string. Valid settings are any
# hostname string, a keyword to insert the actual hostname
# of the system (the sections below use '!gethostname';
# this list previously said '!hostname' - confirm which
# spelling the listener accepts), or !random to generate a
# random hostname between 1 and 15 characters (inclusive).
# Default TCP listener when RedirectAllTraffic is on (see DefaultTCPListener).
# 'Listeners' names the protocol listeners this proxy can hand a connection
# to; TCP port 53 queries, for example, are not bound by [DNS Server] (UDP only)
# and presumably end up here with DNSListener.
[ProxyTCPListener]
Enabled: True
Protocol: TCP
Listener: ProxyListener
Port: 38926
Listeners: HTTPListener, RawListener, FTPListener, DNSListener, POPListener, SMTPListener, TFTPListener, IRCListener
Hidden: False
# Default UDP listener when RedirectAllTraffic is on (see DefaultUDPListener).
# Its 'Listeners' set omits the TCP-only protocols of the TCP proxy. UDP port
# 53 does not reach it because [DNS Server] below binds that port directly
# (see the NOTE under RedirectAllTraffic).
[ProxyUDPListener]
Enabled: True
Protocol: UDP
Listener: ProxyListener
Port: 38926
Listeners: RawListener, DNSListener, TFTPListener, FTPListener
Hidden: False
# Example of a listener entry with no 'Listener' service: when enabled, TCP
# port 8080 traffic from chrome.exe is redirected to the local machine on
# port 8080, where a third-party service (e.g. a proxy) must be listening
# (see the listener notes above). Disabled by default.
[Forwarder]
Enabled: False
Port: 8080
Protocol: TCP
ProcessWhiteList: chrome.exe
Hidden: False
# RawListener on TCP 1337 without TLS. Timeout is the connection timeout (see
# the Timeout note above; presumably seconds).
[RawTCPListener]
Enabled: True
Port: 1337
Protocol: TCP
Listener: RawListener
UseSSL: No
Timeout: 10
Hidden: False
# To read about customizing responses, see docs/CustomResponse.md
# Custom: sample_custom_response.ini
# RawListener on UDP 1337. UseSSL is presumably meaningless for a UDP listener
# and is kept only for symmetry with [RawTCPListener].
[RawUDPListener]
Enabled: True
Port: 1337
Protocol: UDP
Listener: RawListener
UseSSL: No
Timeout: 10
Hidden: False
# To read about customizing responses, see docs/CustomResponse.md
# Custom: sample_custom_response.ini
# Example of per-listener filtering (disabled by default): only traffic from
# ncat.exe / nc.exe is modified, and traffic to 5.5.5.5 is forwarded as-is
# (see ProcessWhiteList / HostBlackList above). 5.5.5.5 is an arbitrary
# example address, not a reserved one - replace it before enabling.
[FilteredListener]
Enabled: False
Port: 31337
Protocol: TCP
Listener: RawListener
UseSSL: No
Timeout: 10
ProcessWhiteList: ncat.exe, nc.exe
HostBlackList: 5.5.5.5
Hidden: False
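# UDP DNS listener. A queries are answered with ResponseA (192.0.2.0/24 is
# TEST-NET-1, RFC 5737, so the address is never routable on the Internet); MX
# and TXT queries get ResponseMX / ResponseTXT. NXDomains > 0 makes the
# listener ignore that many requests first (see NXDomains above). TCP port 53
# is not bound here; with RedirectAllTraffic it goes to DefaultTCPListener.
#
# ResponseMX uses an RFC 2606 reserved name so that the default never points
# at a real, registrable third-party domain (the previous default,
# mail.evil2.com, was not reserved). Any name a sample resolves afterwards is
# answered by this listener anyway.
[DNS Server]
Enabled: True
Port: 53
Protocol: UDP
Listener: DNSListener
ResponseA: 192.0.2.123
ResponseMX: mail.example.com
ResponseTXT: FAKENET
NXDomains: 0
Hidden: False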
# Plain HTTP on port 80, serving files from Webroot (a relative path -
# presumably resolved against FakeNet-NG's working directory). POST bodies are
# written to files named with DumpHTTPPostsFilePrefix; they can contain data
# the sample tries to exfiltrate, so treat the dumps as sensitive.
[HTTPListener80]
Enabled: True
Port: 80
Protocol: TCP
Listener: HTTPListener
UseSSL: No
Webroot: defaultFiles/
Timeout: 10
# Example ProcessBlackList for noisy Windows background processes: when
# uncommented, HTTP traffic from these processes is forwarded unmodified
# instead of being answered by this listener (ProcessBlackList semantics
# above).
#ProcessBlackList: dmclient.exe, OneDrive.exe, svchost.exe, backgroundTaskHost.exe, GoogleUpdate.exe, chrome.exe
DumpHTTPPosts: Yes
DumpHTTPPostsFilePrefix: http
Hidden: False
# To read about customizing responses, see docs/CustomResponse.md
# Custom: sample_custom_response.ini
# HTTPS on port 443 (UseSSL: Yes). Clients will not trust the listener's
# certificate, so samples that validate or pin certificates abort the
# handshake - that is expected and is itself a useful observation. POST
# bodies are dumped exactly as for [HTTPListener80] (same 'http' prefix).
[HTTPListener443]
Enabled: True
Port: 443
Protocol: TCP
Listener: HTTPListener
UseSSL: Yes
Webroot: defaultFiles/
Timeout: 10
DumpHTTPPosts: Yes
DumpHTTPPostsFilePrefix: http
Hidden: False
# SMTP on TCP 25, no TLS. UseSSL is documented above only for RawListener and
# HTTPListener, so this key may be ignored here - confirm in SMTPListener.
[SMTPListener]
Enabled: True
Port: 25
Protocol: TCP
Listener: SMTPListener
UseSSL: No
Hidden: False
# FTP on TCP 21 serving FTProot (relative path). PasvPorts is the range handed
# out for passive-mode data connections; it must match the Port range of
# [FTPListenerPASV] below so those connections are also diverted locally.
# Banner / ServerName: see the settings list above ('!gethostname' inserts
# this machine's hostname). UseSSL is documented above only for RawListener
# and HTTPListener - confirm whether FTPListener honours it.
[FTPListener21]
Enabled: True
Port: 21
Protocol: TCP
Listener: FTPListener
UseSSL: No
FTProot: defaultFiles/
PasvPorts: 60000-60010
Hidden: False
Banner: !generic
ServerName: !gethostname
# No 'Listener' service here: this entry only diverts the passive-mode data
# port range to the local machine, where [FTPListener21] opens its PasvPorts.
# Keep this Port range identical to PasvPorts above (both 60000-60010).
[FTPListenerPASV]
Enabled: True
Port: 60000-60010
Protocol: TCP
Hidden: False
# IRC on TCP 6667 with the generic banner and this machine's hostname as the
# server name (see Banner / ServerName above). UseSSL is documented above only
# for RawListener and HTTPListener - confirm whether IRCListener honours it.
[IRCServer]
Enabled: True
Port: 6667
Protocol: TCP
Listener: IRCListener
UseSSL: No
Banner: !generic
ServerName: !gethostname
Timeout: 30
Hidden: False
# TFTP on UDP 69 serving TFTPRoot (relative path). Uploads are written to files
# named with TFTPFilePrefix (see TFTPFilePrefix above); their content comes from
# the sample, so treat them as untrusted and potentially sensitive.
[TFTPListener]
Enabled: True
Port: 69
Protocol: UDP
Listener: TFTPListener
TFTPRoot: defaultFiles/
Hidden: False
TFTPFilePrefix: tftp
# POP3 on TCP 110, no TLS. UseSSL is documented above only for RawListener and
# HTTPListener, so this key may be ignored here - confirm in POPListener.
[POPServer]
Enabled: True
Port: 110
Protocol: TCP
Listener: POPListener
UseSSL: No
Hidden: False